Release Signing of device-flasher
Can you please sign releases of the device-flasher?
Today I wanted to install CalyxOS on a device, but I abandoned it when I realized that it's still not possible to securely download and verify all of the tools needed to install CalyxOS.
As of 2021, it's now possible to download the CalyxOS factory image and then cryptographically verify its authenticity and integrity using minisign:
- https://calyxos.org/install/devices/oriole/linux/#verify-signature
- https://calyxos.org/install/verify/
- #108 (closed)
However, installing CalyxOS on a Pixel in Linux also requires downloading a file, device-flasher.linux.
Unfortunately, there is no way to cryptographically verify the authenticity and integrity of the device-flasher.linux file after download.
This introduces a plethora of attack vectors to users who are downloading CalyxOS for the first time. For a short list of historically relevant cases where such attacks have been waged against other Open Source projects and their users, see:
To provide a means for CalyxOS users to verify the authenticity and integrity of their CalyxOS installs, please:
- Sign your device-flasher releases using a tool such as GPG, minisign, signify, or similar
- Add sections to your install instructions that tell the user how to Verify Signature of the device-flasher.linux file after downloading it